Uploaded image for project: 'Hadoop YARN'
  1. Hadoop YARN
  2. YARN-5002

getApplicationReport call may raise NPE for removed queues

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Critical
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: 2.9.0, 3.0.0-alpha1
    • Component/s: None
    • Labels:
      None
    • Hadoop Flags:
      Reviewed

      Description

      getApplicationReport call may raise NPE

      Exception in thread "main" java.lang.NullPointerException: java.lang.NullPointerException
       org.apache.hadoop.yarn.server.resourcemanager.security.QueueACLsManager.checkAccess(QueueACLsManager.java:57)
       org.apache.hadoop.yarn.server.resourcemanager.ClientRMService.checkAccess(ClientRMService.java:279)
       org.apache.hadoop.yarn.server.resourcemanager.ClientRMService.getApplications(ClientRMService.java:760)
       org.apache.hadoop.yarn.server.resourcemanager.ClientRMService.getApplications(ClientRMService.java:682)
       org.apache.hadoop.yarn.api.impl.pb.service.ApplicationClientProtocolPBServiceImpl.getApplications(ApplicationClientProtocolPBServiceImpl.java:234)
       org.apache.hadoop.yarn.proto.ApplicationClientProtocol$ApplicationClientProtocolService$2.callBlockingMethod(ApplicationClientProtocol.java:425)
       org.apache.hadoop.ipc.ProtobufRpcEngine$Server$ProtoBufRpcInvoker.call(ProtobufRpcEngine.java:616)
       org.apache.hadoop.ipc.RPC$Server.call(RPC.java:969)
       org.apache.hadoop.ipc.Server$Handler$1.run(Server.java:2268)
       org.apache.hadoop.ipc.Server$Handler$1.run(Server.java:2264)
       java.security.AccessController.doPrivileged(Native Method)
       javax.security.auth.Subject.doAs(Subject.java:422)
       org.apache.hadoop.security.UserGroupInformation.doAs(UserGroupInformation.java:1708)
       org.apache.hadoop.ipc.Server$Handler.run(Server.java:2262)
      
       sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
       sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62)
       sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
       java.lang.reflect.Constructor.newInstance(Constructor.java:423)
       org.apache.hadoop.yarn.ipc.RPCUtil.instantiateException(RPCUtil.java:53)
       org.apache.hadoop.yarn.ipc.RPCUtil.unwrapAndThrowException(RPCUtil.java:107)
       org.apache.hadoop.yarn.api.impl.pb.client.ApplicationClientProtocolPBClientImpl.getApplications(ApplicationClientProtocolPBClientImpl.java:254)
       sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
       sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
       sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
       java.lang.reflect.Method.invoke(Method.java:498)
       org.apache.hadoop.io.retry.RetryInvocationHandler.invokeMethod(RetryInvocationHandler.java:256)
       org.apache.hadoop.io.retry.RetryInvocationHandler.invoke(RetryInvocationHandler.java:104)
       com.sun.proxy.$Proxy18.getApplications(Unknown Source)
       org.apache.hadoop.yarn.client.api.impl.YarnClientImpl.getApplications(YarnClientImpl.java:479)
       org.apache.hadoop.mapred.ResourceMgrDelegate.getAllJobs(ResourceMgrDelegate.java:135)
       org.apache.hadoop.mapred.YARNRunner.getAllJobs(YARNRunner.java:167)
       org.apache.hadoop.mapreduce.Cluster.getAllJobStatuses(Cluster.java:294)
       org.apache.hadoop.mapreduce.tools.CLI.listJobs(CLI.java:553)
       org.apache.hadoop.mapreduce.tools.CLI.run(CLI.java:338)
       org.apache.hadoop.util.ToolRunner.run(ToolRunner.java:76)
       org.apache.hadoop.util.ToolRunner.run(ToolRunner.java:90)
       org.apache.hadoop.mapred.JobClient.main(JobClient.java:1274)
      
      1. YARN-5002.1.patch
        15 kB
        Jian He
      2. YARN-5002.2.patch
        15 kB
        Jian He
      3. YARN-5002.3.patch
        15 kB
        Jian He

        Activity

        Hide
        jianhe Jian He added a comment -

        The issue is that app was first submitted to a queue and finished successfully.
        RM gets restarted without the queue.
        Then, the getApplicationReport for this app will raise NPE because the queue associated with the app does not exist.

        Uploaded a patch to fix the issue.

        Show
        jianhe Jian He added a comment - The issue is that app was first submitted to a queue and finished successfully. RM gets restarted without the queue. Then, the getApplicationReport for this app will raise NPE because the queue associated with the app does not exist. Uploaded a patch to fix the issue.
        Hide
        hadoopqa Hadoop QA added a comment -
        -1 overall



        Vote Subsystem Runtime Comment
        0 reexec 0m 9s Docker mode activated.
        +1 @author 0m 0s The patch does not contain any @author tags.
        +1 test4tests 0m 0s The patch appears to include 3 new or modified test files.
        +1 mvninstall 6m 25s trunk passed
        +1 compile 0m 27s trunk passed with JDK v1.8.0_92
        +1 compile 0m 29s trunk passed with JDK v1.7.0_95
        +1 checkstyle 0m 18s trunk passed
        +1 mvnsite 0m 34s trunk passed
        +1 mvneclipse 0m 13s trunk passed
        +1 findbugs 1m 3s trunk passed
        +1 javadoc 0m 19s trunk passed with JDK v1.8.0_92
        +1 javadoc 0m 25s trunk passed with JDK v1.7.0_95
        +1 mvninstall 0m 28s the patch passed
        +1 compile 0m 24s the patch passed with JDK v1.8.0_92
        +1 javac 0m 24s the patch passed
        +1 compile 0m 26s the patch passed with JDK v1.7.0_95
        +1 javac 0m 26s the patch passed
        +1 checkstyle 0m 15s the patch passed
        +1 mvnsite 0m 32s the patch passed
        +1 mvneclipse 0m 11s the patch passed
        +1 whitespace 0m 0s Patch has no whitespace issues.
        +1 findbugs 1m 13s the patch passed
        +1 javadoc 0m 18s the patch passed with JDK v1.8.0_92
        +1 javadoc 0m 22s the patch passed with JDK v1.7.0_95
        -1 unit 75m 12s hadoop-yarn-server-resourcemanager in the patch failed with JDK v1.8.0_92.
        -1 unit 76m 25s hadoop-yarn-server-resourcemanager in the patch failed with JDK v1.7.0_95.
        +1 asflicense 0m 15s Patch does not generate ASF License warnings.
        167m 19s



        Reason Tests
        JDK v1.8.0_92 Failed junit tests hadoop.yarn.server.resourcemanager.webapp.TestRMWebServicesAppsModification
          hadoop.yarn.server.resourcemanager.TestClientRMTokens
          hadoop.yarn.server.resourcemanager.scheduler.fair.TestFairSchedulerQueueACLs
          hadoop.yarn.server.resourcemanager.TestMoveApplication
          hadoop.yarn.server.resourcemanager.TestAMAuthorization
        JDK v1.8.0_92 Timed out junit tests org.apache.hadoop.yarn.server.resourcemanager.webapp.TestRMWebServicesNodes
        JDK v1.7.0_95 Failed junit tests hadoop.yarn.server.resourcemanager.webapp.TestRMWebServicesAppsModification
          hadoop.yarn.server.resourcemanager.TestClientRMTokens
          hadoop.yarn.server.resourcemanager.scheduler.fair.TestFairSchedulerQueueACLs
          hadoop.yarn.server.resourcemanager.TestMoveApplication
          hadoop.yarn.server.resourcemanager.TestAMAuthorization
        JDK v1.7.0_95 Timed out junit tests org.apache.hadoop.yarn.server.resourcemanager.webapp.TestRMWebServicesNodes



        Subsystem Report/Notes
        Docker Image:yetus/hadoop:fbe3e86
        JIRA Patch URL https://issues.apache.org/jira/secure/attachment/12800916/YARN-5002.1.patch
        JIRA Issue YARN-5002
        Optional Tests asflicense compile javac javadoc mvninstall mvnsite unit findbugs checkstyle
        uname Linux 24a75f482242 3.13.0-36-lowlatency #63-Ubuntu SMP PREEMPT Wed Sep 3 21:56:12 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux
        Build tool maven
        Personality /testptch/hadoop/patchprocess/precommit/personality/provided.sh
        git revision trunk / fc94810
        Default Java 1.7.0_95
        Multi-JDK versions /usr/lib/jvm/java-8-oracle:1.8.0_92 /usr/lib/jvm/java-7-openjdk-amd64:1.7.0_95
        findbugs v3.0.0
        unit https://builds.apache.org/job/PreCommit-YARN-Build/11236/artifact/patchprocess/patch-unit-hadoop-yarn-project_hadoop-yarn_hadoop-yarn-server_hadoop-yarn-server-resourcemanager-jdk1.8.0_92.txt
        unit https://builds.apache.org/job/PreCommit-YARN-Build/11236/artifact/patchprocess/patch-unit-hadoop-yarn-project_hadoop-yarn_hadoop-yarn-server_hadoop-yarn-server-resourcemanager-jdk1.7.0_95.txt
        unit test logs https://builds.apache.org/job/PreCommit-YARN-Build/11236/artifact/patchprocess/patch-unit-hadoop-yarn-project_hadoop-yarn_hadoop-yarn-server_hadoop-yarn-server-resourcemanager-jdk1.8.0_92.txt https://builds.apache.org/job/PreCommit-YARN-Build/11236/artifact/patchprocess/patch-unit-hadoop-yarn-project_hadoop-yarn_hadoop-yarn-server_hadoop-yarn-server-resourcemanager-jdk1.7.0_95.txt
        JDK v1.7.0_95 Test Results https://builds.apache.org/job/PreCommit-YARN-Build/11236/testReport/
        modules C: hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager U: hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager
        Console output https://builds.apache.org/job/PreCommit-YARN-Build/11236/console
        Powered by Apache Yetus 0.2.0 http://yetus.apache.org

        This message was automatically generated.

        Show
        hadoopqa Hadoop QA added a comment - -1 overall Vote Subsystem Runtime Comment 0 reexec 0m 9s Docker mode activated. +1 @author 0m 0s The patch does not contain any @author tags. +1 test4tests 0m 0s The patch appears to include 3 new or modified test files. +1 mvninstall 6m 25s trunk passed +1 compile 0m 27s trunk passed with JDK v1.8.0_92 +1 compile 0m 29s trunk passed with JDK v1.7.0_95 +1 checkstyle 0m 18s trunk passed +1 mvnsite 0m 34s trunk passed +1 mvneclipse 0m 13s trunk passed +1 findbugs 1m 3s trunk passed +1 javadoc 0m 19s trunk passed with JDK v1.8.0_92 +1 javadoc 0m 25s trunk passed with JDK v1.7.0_95 +1 mvninstall 0m 28s the patch passed +1 compile 0m 24s the patch passed with JDK v1.8.0_92 +1 javac 0m 24s the patch passed +1 compile 0m 26s the patch passed with JDK v1.7.0_95 +1 javac 0m 26s the patch passed +1 checkstyle 0m 15s the patch passed +1 mvnsite 0m 32s the patch passed +1 mvneclipse 0m 11s the patch passed +1 whitespace 0m 0s Patch has no whitespace issues. +1 findbugs 1m 13s the patch passed +1 javadoc 0m 18s the patch passed with JDK v1.8.0_92 +1 javadoc 0m 22s the patch passed with JDK v1.7.0_95 -1 unit 75m 12s hadoop-yarn-server-resourcemanager in the patch failed with JDK v1.8.0_92. -1 unit 76m 25s hadoop-yarn-server-resourcemanager in the patch failed with JDK v1.7.0_95. +1 asflicense 0m 15s Patch does not generate ASF License warnings. 167m 19s Reason Tests JDK v1.8.0_92 Failed junit tests hadoop.yarn.server.resourcemanager.webapp.TestRMWebServicesAppsModification   hadoop.yarn.server.resourcemanager.TestClientRMTokens   hadoop.yarn.server.resourcemanager.scheduler.fair.TestFairSchedulerQueueACLs   hadoop.yarn.server.resourcemanager.TestMoveApplication   hadoop.yarn.server.resourcemanager.TestAMAuthorization JDK v1.8.0_92 Timed out junit tests org.apache.hadoop.yarn.server.resourcemanager.webapp.TestRMWebServicesNodes JDK v1.7.0_95 Failed junit tests hadoop.yarn.server.resourcemanager.webapp.TestRMWebServicesAppsModification   hadoop.yarn.server.resourcemanager.TestClientRMTokens   hadoop.yarn.server.resourcemanager.scheduler.fair.TestFairSchedulerQueueACLs   hadoop.yarn.server.resourcemanager.TestMoveApplication   hadoop.yarn.server.resourcemanager.TestAMAuthorization JDK v1.7.0_95 Timed out junit tests org.apache.hadoop.yarn.server.resourcemanager.webapp.TestRMWebServicesNodes Subsystem Report/Notes Docker Image:yetus/hadoop:fbe3e86 JIRA Patch URL https://issues.apache.org/jira/secure/attachment/12800916/YARN-5002.1.patch JIRA Issue YARN-5002 Optional Tests asflicense compile javac javadoc mvninstall mvnsite unit findbugs checkstyle uname Linux 24a75f482242 3.13.0-36-lowlatency #63-Ubuntu SMP PREEMPT Wed Sep 3 21:56:12 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux Build tool maven Personality /testptch/hadoop/patchprocess/precommit/personality/provided.sh git revision trunk / fc94810 Default Java 1.7.0_95 Multi-JDK versions /usr/lib/jvm/java-8-oracle:1.8.0_92 /usr/lib/jvm/java-7-openjdk-amd64:1.7.0_95 findbugs v3.0.0 unit https://builds.apache.org/job/PreCommit-YARN-Build/11236/artifact/patchprocess/patch-unit-hadoop-yarn-project_hadoop-yarn_hadoop-yarn-server_hadoop-yarn-server-resourcemanager-jdk1.8.0_92.txt unit https://builds.apache.org/job/PreCommit-YARN-Build/11236/artifact/patchprocess/patch-unit-hadoop-yarn-project_hadoop-yarn_hadoop-yarn-server_hadoop-yarn-server-resourcemanager-jdk1.7.0_95.txt unit test logs https://builds.apache.org/job/PreCommit-YARN-Build/11236/artifact/patchprocess/patch-unit-hadoop-yarn-project_hadoop-yarn_hadoop-yarn-server_hadoop-yarn-server-resourcemanager-jdk1.8.0_92.txt https://builds.apache.org/job/PreCommit-YARN-Build/11236/artifact/patchprocess/patch-unit-hadoop-yarn-project_hadoop-yarn_hadoop-yarn-server_hadoop-yarn-server-resourcemanager-jdk1.7.0_95.txt JDK v1.7.0_95 Test Results https://builds.apache.org/job/PreCommit-YARN-Build/11236/testReport/ modules C: hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager U: hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager Console output https://builds.apache.org/job/PreCommit-YARN-Build/11236/console Powered by Apache Yetus 0.2.0 http://yetus.apache.org This message was automatically generated.
        Hide
        templedf Daniel Templeton added a comment -

        Thanks for posting the patch, Jian He. I have a few concerns:

        1. You can't hard-code the capacity scheduler into the RM. The code has to use whatever scheduler is selected.
        2. From a security perspective it's better to deny access to an app if we can't find the queue. We should probably log an INFO or DEBUG level message when that happens so that there's a paper trail.
        3. This:
            final ApplicationReport[] report = { null };
            user2.doAs(new PrivilegedAction<ApplicationReport>() {
              @Override
              public ApplicationReport run() {
                try {
                  report[0] = rm2.getApplicationReport(app1.getApplicationId());
                } catch (Exception e) {
                  e.printStackTrace();
                }
                return report[0];
              }
            });
        

        seems a bit convoluted. How about just:

            ApplicationReport report =
                user2.doAs(new PrivilegedExceptionAction<ApplicationReport>() {
                  @Override
                  public ApplicationReport run() throws Exception {
                    return rm2.getApplicationReport(app1.getApplicationId());
                  }
                });
        
        Show
        templedf Daniel Templeton added a comment - Thanks for posting the patch, Jian He . I have a few concerns: You can't hard-code the capacity scheduler into the RM. The code has to use whatever scheduler is selected. From a security perspective it's better to deny access to an app if we can't find the queue. We should probably log an INFO or DEBUG level message when that happens so that there's a paper trail. This: final ApplicationReport[] report = { null }; user2.doAs( new PrivilegedAction<ApplicationReport>() { @Override public ApplicationReport run() { try { report[0] = rm2.getApplicationReport(app1.getApplicationId()); } catch (Exception e) { e.printStackTrace(); } return report[0]; } }); seems a bit convoluted. How about just: ApplicationReport report = user2.doAs( new PrivilegedExceptionAction<ApplicationReport>() { @Override public ApplicationReport run() throws Exception { return rm2.getApplicationReport(app1.getApplicationId()); } });
        Hide
        jianhe Jian He added a comment -

        Daniel Templeton, thanks for the review

        You can't hard-code the capacity scheduler into the RM

        yeah, missed this, even unit test failed because of this. fixed it.

        From a security perspective it's better to deny access to an app if we can't find the queue.

        I don't have strong opinion on this. Problem with denying access is that these apps will never be able to be viewed. changed it anyway.

        Show
        jianhe Jian He added a comment - Daniel Templeton , thanks for the review You can't hard-code the capacity scheduler into the RM yeah, missed this, even unit test failed because of this. fixed it. From a security perspective it's better to deny access to an app if we can't find the queue. I don't have strong opinion on this. Problem with denying access is that these apps will never be able to be viewed. changed it anyway.
        Hide
        hadoopqa Hadoop QA added a comment -
        -1 overall



        Vote Subsystem Runtime Comment
        0 reexec 0m 0s Docker mode activated.
        -1 docker 4m 53s Docker failed to build yetus/hadoop:7b1c37a.



        Subsystem Report/Notes
        JIRA Patch URL https://issues.apache.org/jira/secure/attachment/12801079/YARN-5002.2.patch
        JIRA Issue YARN-5002
        Console output https://builds.apache.org/job/PreCommit-YARN-Build/11243/console
        Powered by Apache Yetus 0.2.0 http://yetus.apache.org

        This message was automatically generated.

        Show
        hadoopqa Hadoop QA added a comment - -1 overall Vote Subsystem Runtime Comment 0 reexec 0m 0s Docker mode activated. -1 docker 4m 53s Docker failed to build yetus/hadoop:7b1c37a. Subsystem Report/Notes JIRA Patch URL https://issues.apache.org/jira/secure/attachment/12801079/YARN-5002.2.patch JIRA Issue YARN-5002 Console output https://builds.apache.org/job/PreCommit-YARN-Build/11243/console Powered by Apache Yetus 0.2.0 http://yetus.apache.org This message was automatically generated.
        Hide
        sunilg Sunil G added a comment -

        Hi Jian He
        I have one doubt here overall about this part.

        checkAccess is invoked from forceKillApplication etc. And if checkAccess returns false, it is been raised as access control exception.

        But in reality issue was because of a non-existent queue after restart. Eventhough its logged, from client side exception seems like not accurate. Could this be a problem, how do you feel?

        Show
        sunilg Sunil G added a comment - Hi Jian He I have one doubt here overall about this part. checkAccess is invoked from forceKillApplication etc. And if checkAccess returns false , it is been raised as access control exception. But in reality issue was because of a non-existent queue after restart. Eventhough its logged, from client side exception seems like not accurate. Could this be a problem, how do you feel?
        Hide
        jianhe Jian He added a comment -

        yeah, it is indeed confusing, earlier viewable applications becomes not viewable if the queue gets removed. I think the non-existing queue should be treated explicitly instead of imbedding in the logic of access control. The fact that the queue is removed probably means the apps in that queue is of less concern in terms of ACLs. For this patch, I think I'll still return true if queue does not exist for the sake of usability.

        Show
        jianhe Jian He added a comment - yeah, it is indeed confusing, earlier viewable applications becomes not viewable if the queue gets removed. I think the non-existing queue should be treated explicitly instead of imbedding in the logic of access control. The fact that the queue is removed probably means the apps in that queue is of less concern in terms of ACLs. For this patch, I think I'll still return true if queue does not exist for the sake of usability.
        Hide
        hadoopqa Hadoop QA added a comment -
        -1 overall



        Vote Subsystem Runtime Comment
        0 reexec 0m 0s Docker mode activated.
        -1 docker 0m 2s Docker failed to build yetus/hadoop:7b1c37a.



        Subsystem Report/Notes
        JIRA Patch URL https://issues.apache.org/jira/secure/attachment/12801098/YARN-5002.3.patch
        JIRA Issue YARN-5002
        Console output https://builds.apache.org/job/PreCommit-YARN-Build/11248/console
        Powered by Apache Yetus 0.2.0 http://yetus.apache.org

        This message was automatically generated.

        Show
        hadoopqa Hadoop QA added a comment - -1 overall Vote Subsystem Runtime Comment 0 reexec 0m 0s Docker mode activated. -1 docker 0m 2s Docker failed to build yetus/hadoop:7b1c37a. Subsystem Report/Notes JIRA Patch URL https://issues.apache.org/jira/secure/attachment/12801098/YARN-5002.3.patch JIRA Issue YARN-5002 Console output https://builds.apache.org/job/PreCommit-YARN-Build/11248/console Powered by Apache Yetus 0.2.0 http://yetus.apache.org This message was automatically generated.
        Hide
        templedf Daniel Templeton added a comment -

        Security and usability are rarely in agreement. Unfortunately, security carries a bigger stick.

        I like the suggestion of handling the issue above the level of access control. It seems to me that this issue is most appropriately handled in the recovery code. If a recovered application's queue doesn't exist, do something smart with it there.

        Show
        templedf Daniel Templeton added a comment - Security and usability are rarely in agreement. Unfortunately, security carries a bigger stick. I like the suggestion of handling the issue above the level of access control. It seems to me that this issue is most appropriately handled in the recovery code. If a recovered application's queue doesn't exist, do something smart with it there.
        Hide
        leftnoteasy Wangda Tan added a comment -

        Echo Jian He's comment: I would also prefer existing approach: if queue is removed, ACL to view these apps from removed queue should be *, otherwise apps will be disappeared from any user's perspective. And this is the previous behavior too.

        A more comprehensive approach is to record configuration to state-store. In short term, attached fix looks good.

        Show
        leftnoteasy Wangda Tan added a comment - Echo Jian He 's comment: I would also prefer existing approach: if queue is removed, ACL to view these apps from removed queue should be *, otherwise apps will be disappeared from any user's perspective. And this is the previous behavior too. A more comprehensive approach is to record configuration to state-store. In short term, attached fix looks good.
        Hide
        templedf Daniel Templeton added a comment -

        If I submit a mapreduce job to a secure queue that has my S3 credentials in the output path, I'm gonna be pretty pissed if some admin deleting a queue causes my credentials to be exposed.

        Show
        templedf Daniel Templeton added a comment - If I submit a mapreduce job to a secure queue that has my S3 credentials in the output path, I'm gonna be pretty pissed if some admin deleting a queue causes my credentials to be exposed.
        Hide
        jianhe Jian He added a comment -

        S3 credentials in the output path.

        sorry, could you clarify what you mean? what output path are you referring to ? This is to say whether the user can view the YARN app meta info from the UI or command line. Also, the original app_view acl is still taking effect. Also, I think user app should not rely on the yarn queue acl for their app access control in the first place.

        Show
        jianhe Jian He added a comment - S3 credentials in the output path. sorry, could you clarify what you mean? what output path are you referring to ? This is to say whether the user can view the YARN app meta info from the UI or command line. Also, the original app_view acl is still taking effect. Also, I think user app should not rely on the yarn queue acl for their app access control in the first place.
        Hide
        hadoopqa Hadoop QA added a comment -
        -1 overall



        Vote Subsystem Runtime Comment
        0 reexec 0m 10s Docker mode activated.
        +1 @author 0m 0s The patch does not contain any @author tags.
        +1 test4tests 0m 0s The patch appears to include 3 new or modified test files.
        +1 mvninstall 6m 4s trunk passed
        +1 compile 0m 24s trunk passed with JDK v1.8.0_92
        +1 compile 0m 26s trunk passed with JDK v1.7.0_95
        +1 checkstyle 0m 17s trunk passed
        +1 mvnsite 0m 31s trunk passed
        +1 mvneclipse 0m 12s trunk passed
        +1 findbugs 0m 59s trunk passed
        +1 javadoc 0m 19s trunk passed with JDK v1.8.0_92
        +1 javadoc 0m 24s trunk passed with JDK v1.7.0_95
        +1 mvninstall 0m 27s the patch passed
        +1 compile 0m 23s the patch passed with JDK v1.8.0_92
        +1 javac 0m 23s the patch passed
        +1 compile 0m 25s the patch passed with JDK v1.7.0_95
        +1 javac 0m 25s the patch passed
        -1 checkstyle 0m 14s hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager: patch generated 2 new + 70 unchanged - 0 fixed = 72 total (was 70)
        +1 mvnsite 0m 30s the patch passed
        +1 mvneclipse 0m 10s the patch passed
        +1 whitespace 0m 0s Patch has no whitespace issues.
        +1 findbugs 1m 12s the patch passed
        +1 javadoc 0m 18s the patch passed with JDK v1.8.0_92
        +1 javadoc 0m 21s the patch passed with JDK v1.7.0_95
        -1 unit 44m 29s hadoop-yarn-server-resourcemanager in the patch failed with JDK v1.8.0_92.
        -1 unit 44m 16s hadoop-yarn-server-resourcemanager in the patch failed with JDK v1.7.0_95.
        +1 asflicense 0m 17s Patch does not generate ASF License warnings.
        103m 45s



        Reason Tests
        JDK v1.8.0_92 Failed junit tests hadoop.yarn.server.resourcemanager.TestAMAuthorization
          hadoop.yarn.server.resourcemanager.applicationsmanager.TestAMRestart
          hadoop.yarn.server.resourcemanager.TestClientRMTokens
        JDK v1.8.0_92 Timed out junit tests org.apache.hadoop.yarn.server.resourcemanager.webapp.TestRMWebServicesNodes
        JDK v1.7.0_95 Failed junit tests hadoop.yarn.server.resourcemanager.TestAMAuthorization
          hadoop.yarn.server.resourcemanager.TestContainerResourceUsage
          hadoop.yarn.server.resourcemanager.TestClientRMTokens
        JDK v1.7.0_95 Timed out junit tests org.apache.hadoop.yarn.server.resourcemanager.webapp.TestRMWebServicesNodes



        Subsystem Report/Notes
        Docker Image:yetus/hadoop:cf2ee45
        JIRA Patch URL https://issues.apache.org/jira/secure/attachment/12801098/YARN-5002.3.patch
        JIRA Issue YARN-5002
        Optional Tests asflicense compile javac javadoc mvninstall mvnsite unit findbugs checkstyle
        uname Linux 8dfc0c859155 3.13.0-36-lowlatency #63-Ubuntu SMP PREEMPT Wed Sep 3 21:56:12 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux
        Build tool maven
        Personality /testptch/hadoop/patchprocess/precommit/personality/provided.sh
        git revision trunk / 6243eab
        Default Java 1.7.0_95
        Multi-JDK versions /usr/lib/jvm/java-8-oracle:1.8.0_92 /usr/lib/jvm/java-7-openjdk-amd64:1.7.0_95
        findbugs v3.0.0
        checkstyle https://builds.apache.org/job/PreCommit-YARN-Build/11270/artifact/patchprocess/diff-checkstyle-hadoop-yarn-project_hadoop-yarn_hadoop-yarn-server_hadoop-yarn-server-resourcemanager.txt
        unit https://builds.apache.org/job/PreCommit-YARN-Build/11270/artifact/patchprocess/patch-unit-hadoop-yarn-project_hadoop-yarn_hadoop-yarn-server_hadoop-yarn-server-resourcemanager-jdk1.8.0_92.txt
        unit https://builds.apache.org/job/PreCommit-YARN-Build/11270/artifact/patchprocess/patch-unit-hadoop-yarn-project_hadoop-yarn_hadoop-yarn-server_hadoop-yarn-server-resourcemanager-jdk1.7.0_95.txt
        unit test logs https://builds.apache.org/job/PreCommit-YARN-Build/11270/artifact/patchprocess/patch-unit-hadoop-yarn-project_hadoop-yarn_hadoop-yarn-server_hadoop-yarn-server-resourcemanager-jdk1.8.0_92.txt https://builds.apache.org/job/PreCommit-YARN-Build/11270/artifact/patchprocess/patch-unit-hadoop-yarn-project_hadoop-yarn_hadoop-yarn-server_hadoop-yarn-server-resourcemanager-jdk1.7.0_95.txt
        JDK v1.7.0_95 Test Results https://builds.apache.org/job/PreCommit-YARN-Build/11270/testReport/
        modules C: hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager U: hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager
        Console output https://builds.apache.org/job/PreCommit-YARN-Build/11270/console
        Powered by Apache Yetus 0.2.0 http://yetus.apache.org

        This message was automatically generated.

        Show
        hadoopqa Hadoop QA added a comment - -1 overall Vote Subsystem Runtime Comment 0 reexec 0m 10s Docker mode activated. +1 @author 0m 0s The patch does not contain any @author tags. +1 test4tests 0m 0s The patch appears to include 3 new or modified test files. +1 mvninstall 6m 4s trunk passed +1 compile 0m 24s trunk passed with JDK v1.8.0_92 +1 compile 0m 26s trunk passed with JDK v1.7.0_95 +1 checkstyle 0m 17s trunk passed +1 mvnsite 0m 31s trunk passed +1 mvneclipse 0m 12s trunk passed +1 findbugs 0m 59s trunk passed +1 javadoc 0m 19s trunk passed with JDK v1.8.0_92 +1 javadoc 0m 24s trunk passed with JDK v1.7.0_95 +1 mvninstall 0m 27s the patch passed +1 compile 0m 23s the patch passed with JDK v1.8.0_92 +1 javac 0m 23s the patch passed +1 compile 0m 25s the patch passed with JDK v1.7.0_95 +1 javac 0m 25s the patch passed -1 checkstyle 0m 14s hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager: patch generated 2 new + 70 unchanged - 0 fixed = 72 total (was 70) +1 mvnsite 0m 30s the patch passed +1 mvneclipse 0m 10s the patch passed +1 whitespace 0m 0s Patch has no whitespace issues. +1 findbugs 1m 12s the patch passed +1 javadoc 0m 18s the patch passed with JDK v1.8.0_92 +1 javadoc 0m 21s the patch passed with JDK v1.7.0_95 -1 unit 44m 29s hadoop-yarn-server-resourcemanager in the patch failed with JDK v1.8.0_92. -1 unit 44m 16s hadoop-yarn-server-resourcemanager in the patch failed with JDK v1.7.0_95. +1 asflicense 0m 17s Patch does not generate ASF License warnings. 103m 45s Reason Tests JDK v1.8.0_92 Failed junit tests hadoop.yarn.server.resourcemanager.TestAMAuthorization   hadoop.yarn.server.resourcemanager.applicationsmanager.TestAMRestart   hadoop.yarn.server.resourcemanager.TestClientRMTokens JDK v1.8.0_92 Timed out junit tests org.apache.hadoop.yarn.server.resourcemanager.webapp.TestRMWebServicesNodes JDK v1.7.0_95 Failed junit tests hadoop.yarn.server.resourcemanager.TestAMAuthorization   hadoop.yarn.server.resourcemanager.TestContainerResourceUsage   hadoop.yarn.server.resourcemanager.TestClientRMTokens JDK v1.7.0_95 Timed out junit tests org.apache.hadoop.yarn.server.resourcemanager.webapp.TestRMWebServicesNodes Subsystem Report/Notes Docker Image:yetus/hadoop:cf2ee45 JIRA Patch URL https://issues.apache.org/jira/secure/attachment/12801098/YARN-5002.3.patch JIRA Issue YARN-5002 Optional Tests asflicense compile javac javadoc mvninstall mvnsite unit findbugs checkstyle uname Linux 8dfc0c859155 3.13.0-36-lowlatency #63-Ubuntu SMP PREEMPT Wed Sep 3 21:56:12 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux Build tool maven Personality /testptch/hadoop/patchprocess/precommit/personality/provided.sh git revision trunk / 6243eab Default Java 1.7.0_95 Multi-JDK versions /usr/lib/jvm/java-8-oracle:1.8.0_92 /usr/lib/jvm/java-7-openjdk-amd64:1.7.0_95 findbugs v3.0.0 checkstyle https://builds.apache.org/job/PreCommit-YARN-Build/11270/artifact/patchprocess/diff-checkstyle-hadoop-yarn-project_hadoop-yarn_hadoop-yarn-server_hadoop-yarn-server-resourcemanager.txt unit https://builds.apache.org/job/PreCommit-YARN-Build/11270/artifact/patchprocess/patch-unit-hadoop-yarn-project_hadoop-yarn_hadoop-yarn-server_hadoop-yarn-server-resourcemanager-jdk1.8.0_92.txt unit https://builds.apache.org/job/PreCommit-YARN-Build/11270/artifact/patchprocess/patch-unit-hadoop-yarn-project_hadoop-yarn_hadoop-yarn-server_hadoop-yarn-server-resourcemanager-jdk1.7.0_95.txt unit test logs https://builds.apache.org/job/PreCommit-YARN-Build/11270/artifact/patchprocess/patch-unit-hadoop-yarn-project_hadoop-yarn_hadoop-yarn-server_hadoop-yarn-server-resourcemanager-jdk1.8.0_92.txt https://builds.apache.org/job/PreCommit-YARN-Build/11270/artifact/patchprocess/patch-unit-hadoop-yarn-project_hadoop-yarn_hadoop-yarn-server_hadoop-yarn-server-resourcemanager-jdk1.7.0_95.txt JDK v1.7.0_95 Test Results https://builds.apache.org/job/PreCommit-YARN-Build/11270/testReport/ modules C: hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager U: hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager Console output https://builds.apache.org/job/PreCommit-YARN-Build/11270/console Powered by Apache Yetus 0.2.0 http://yetus.apache.org This message was automatically generated.
        Hide
        jianhe Jian He added a comment -

        Daniel Templeton, mind checking my last comment or do you have more concern ?

        Show
        jianhe Jian He added a comment - Daniel Templeton , mind checking my last comment or do you have more concern ?
        Hide
        sunilg Sunil G added a comment -

        Patch looks fine for me. For short term, this will be fine. I think we need to revive the config data store as we are running in to these issue more recently.

        Show
        sunilg Sunil G added a comment - Patch looks fine for me. For short term, this will be fine. I think we need to revive the config data store as we are running in to these issue more recently.
        Hide
        leftnoteasy Wangda Tan added a comment -

        +1 to latest patch.

        Show
        leftnoteasy Wangda Tan added a comment - +1 to latest patch.
        Hide
        kasha Karthik Kambatla added a comment -

        For ACLs, I would like to think we enforce the same checks for running and completed applications.

        Wearing my ASF hat, I would like for us to handle this in a consistent way. Wearing my Cloudera hat, this is okay by me since the fix is CapacityScheduler-only.

        Show
        kasha Karthik Kambatla added a comment - For ACLs, I would like to think we enforce the same checks for running and completed applications. Wearing my ASF hat, I would like for us to handle this in a consistent way. Wearing my Cloudera hat, this is okay by me since the fix is CapacityScheduler-only.
        Hide
        leftnoteasy Wangda Tan added a comment -

        Karthik Kambatla,

        We totally agree that enforce same ACL for running and completed applications in removed queues is the best solution. However, since we don't store ACL info for removed queues today, we cannot get ACL info for removed queues.

        I would like to suggest to fix this NPE issue first, and for the longer term, after we can store ACL info for removed queues as well, we can enforce same ACL check.

        Thoughts?

        Show
        leftnoteasy Wangda Tan added a comment - Karthik Kambatla , We totally agree that enforce same ACL for running and completed applications in removed queues is the best solution. However, since we don't store ACL info for removed queues today, we cannot get ACL info for removed queues. I would like to suggest to fix this NPE issue first, and for the longer term, after we can store ACL info for removed queues as well, we can enforce same ACL check. Thoughts?
        Hide
        leftnoteasy Wangda Tan added a comment -

        Committed to trunk/branch-2 to handle the NPE issue.

        Thanks Jian He working on the patch, thanks reviews from Daniel Templeton/Karthik Kambatla/Sunil G!

        Karthik Kambatla, if you think we need to handle ACLs for removed queues better, could you file a separate JIRA to improve it (like store ACL info for queues)?

        Show
        leftnoteasy Wangda Tan added a comment - Committed to trunk/branch-2 to handle the NPE issue. Thanks Jian He working on the patch, thanks reviews from Daniel Templeton / Karthik Kambatla / Sunil G ! Karthik Kambatla , if you think we need to handle ACLs for removed queues better, could you file a separate JIRA to improve it (like store ACL info for queues)?
        Hide
        andrew.wang Andrew Wang added a comment -

        FYI for git log greppers, this one is missing the JIRA ID in commit message.

        Show
        andrew.wang Andrew Wang added a comment - FYI for git log greppers, this one is missing the JIRA ID in commit message.

          People

          • Assignee:
            jianhe Jian He
            Reporter:
            ssathish@hortonworks.com Sumana Sathish
          • Votes:
            0 Vote for this issue
            Watchers:
            12 Start watching this issue

            Dates

            • Created:
              Updated:
              Resolved:

              Development